Pending members are emailed about posts

As of v1.5.0.beta10 +105 users who have applied for an account, but are still pending review are getting emailed about user posts.

The users show as

Approved? No
Active? No

but still have ‘user posted’ emails in the logs.

3 Likes

How is it OK for someone who’s requested access to a private site to getting emails about its content?

Here are two pending users… just because the top one has validated the email address (by using google SSO in this case) doesn’t mean its OK for emails to be sent.

Have you checked to see the type of email that’s been sent?

Perhaps just a password reset email?

I’m not even sure if these are counted - but just wanted to put the thought out there.

3 Likes

When I opened the this topic, the logs showed that the user was receiving emails due to user posting & digest.

In this case, the b1000 user in the image only shows a forgot password email, but then, there’s been no posting for about a week now.

will report back once there’s been some action, and update this topic if either user gets an email.

3 Likes

Yes, the activated, but pending, user got an email :thumbsdown:

Is there a security tag on Meta that I could apply to this bug?

should there be?

1 Like

I have no good excuse for why this fell through the cracks but thank you very much for bringing it up again.

Here is a fix, backported to all branches:

https://github.com/discourse/discourse/commit/84f0e5ad4d6cd8e9ee2d97b74f0f1c6092608dc5

7 Likes